Skip to main content

Author: Scott Forehand

Scott is an experienced professional and recognized leader specializing in the design and implementation of enterprise virtualization, enterprise storage, server infrastructures and operations. A self-starter able to work both independently and in a team-oriented environment, Scott has a proven ability to create and automate solutions to improve productivity, reliability and performance. Throughout his professional career, Scott has proven successes implementing technology and service improvement initiatives and has a demonstrated ability to think strategically about business, create technical definition around objectives in complex situations, develop solution strategies, motivate and mobilize resources, and deliver end-to-end technology solutions. Scott has achieved multiple industry recognized certifications in virtualization, networking, cloud, storage, converged infrastructure, hyperconverged infrastructure and other technologies, and is honored to be a VMware vExpert in 2018-2022, and vExpert EUC 2020-2022.

Group Policy Security Filtering

Scott Forehand

An administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor, select the Security tab of the property page for the GPO. Then set access permissions using discretionary access control lists (DACLs) to allow or deny access to the GPO by specified groups. By changing the Access Control Entries (ACEs) within the DACL, the effect of any GPO can be modified to exclude or include the members of any security group. For more information about security groups, see How Security Groups are Used in Access Control.

To apply a GPO to a specific group, both the Read and Apply Group Policy ACEs are required. By default, all Authenticated Users have both these permissions set to Allow. Because everyone in an organizational unit is automatically an Authenticated User, the default behavior is for every GPO to apply to every Authenticated User. However, domain administrators, enterprise administrators, and the LocalSystem account already have full control permissions, by default, without the Apply Group Policy ACE. Therefore, because administrators are also …

Read More

Group Policy WMI Filtering

Scott Forehand

Group Policy WMI Filtering was introduced with Windows XP, and is a great way to add a decision on when to apply a given group policy. WMI Filters, written in WMI Query Language (WQL), allow an administrator to specify a WMI-based query to filter the application of a GPO. WMI Filtering can be very useful when users or computers are located in a relatively flat OU structure in Active Directory, for example. WMI Filters can also allow you to apply specific policies based on server roles, operating system version, network configuration, and other criteria. Windows evaluates these filters in the following order of overall Group Policy Processing:

  1. Policies are located in hierarchy.
  2. The WMI Filters are checked.
  3. The security settings are checked.
  4. A policy is either filtered or applied depending on the results of the previous checks.

Breakdown: We locate all of the policies that exist in the user or computer’s Local, Site, Domain, and OU hierarchy. We then determine if the WMI Filter (if any are defined) returns TRUE. We then verify that the user or computer has both Read and Apply group policy permissions for the GPO. Once all of that is validated, the group policy is …

Read More

Group Policy Best Practices

Scott Forehand

I thought it might be useful to outline the approach that I take to designing group policy infrastructure in environments that I manage. Architecting group policy can be a daunting and time consuming task, so it’s good to know how it works before you start. All of what you’re about to read was gathered from Microsoft documentation, and should be accurate to the date of this writing. Everything you’re about to read has been compiled over the last 10 years from a combination of Microsoft best practices and real world experiences tweaking GPOs in production environments.

I use the terms functional and monolithic to describe the two possible approaches:

  • Functional GPOs Contain one or more settings from a single policy area and often target a single function (e.g., Browser Security, Workstation Lock)
  • Monolithic GPOs Contain a variety of settings from multiple policy areas (e.g., Administrative Templates, security, Group Policy preferences)

The majority of the corporate environments I’ve managed contain Functional GPOs when I start. Most environments should have a mix of both Monolithic and Functional GPOs. This is driven by factors such as the need for delegating certain GPOs to a particular business unit administrator, the desire to manage …

Read More

VMware Configuration Maximums Tool

Scott Forehand

It’s finally happened! VMware has just made our lives a lot easier. If you manage a VMware environment, you have to know the configuration maximums for each VMware product and version in your environment. If you’re taking a VMware certification exam, you have to know the configuration maximums for each product and version in the blueprint for the exam you want to take.

Now, all of that information is readily available on the web, eliminating the need to search for the documentation you need and write everything out in your own spreadsheets. Check out the new VMware Configuration Maximum Tool here: https://configmax.vmware.com/

As of this writing, this tool contains the configuration maximums for vSphere 6.0, 6.5, and 6.5 Update 1. I’m sure more versions, and more products will be added to the tool in the future, so bookmark it!

This handy tool allows you to select your vSphere version, and then choose to display maximums only for the technology you choose. You can even compare the configuration maximums across different versions, which is really useful if you want to see what improvements and enhancements have been made that may lead to a small rearchitecture effort in your environment, or plan …

Read More

Veeam Availability Suite 9.5 Active Directory Deep-dive

Scott Forehand

Technology used to create this post: Veeam Backup & Replication 9.5, VMware vSphere Web Client, Microsoft Windows Server 2016

The vast majority of corporations use Active Directory (AD) in their environment for centralized management and authentication. Active Directory provides multimaster replication, which means that you can set up several domain controllers that will synchronize data between every domain controller in a domain when a change has been made to any of those domain controllers. The Active Directory Clock is an incremental sync when it replicates between domain controllers. Veeam Backup & Replication notifies the other domain controllers that a restore is happening,  and that the clock will be turned back to allow the newest changes can be synchronized between all of the domain controllers in the domain. To accomplish this, Veeam Backup & Replication uses native VSS integration to back up Active Directory, including NTDS Writer and DFS Replication Writer. That integration allows for a complete backup that can be restored properly without damaging other data in the AD JET database.

If you’re curious what VSS Writers are on one of your servers, this script will get all VSS Writers from <localhost> and output a grid:

$VssWriters = Get-VssWriters

Read More

Simplifying Veeam Backups Using VMware Tags

Scott Forehand

If you’re lazy like me, you hate having to open 26 different applications when you provision a new virtual machine. Lets eliminate the need to open one of those applications, Veeam.

Traditionally, when you provision a new virtual machine, you would open Veeam Backup & Replication Console and add that specific VM to one of the Backup Jobs you have configured. You’d have to make sure that you’ve correctly configured things like encryption, application-aware backups, exceptions and credentials for the VM you’ve provisioned.

Now, I don’t know about you, but I hate extra work. Here’s how you can solve this problem with a little bit of automation using VMware Tags and Veeam Backup & Replication.

Note: VMware Tags require vCenter version 5.1 and above. Reference

Step 1: Create Backup Tags in VMware vCenter
For my needs, I created quite a few VMware Tags. One for each of the Veeam Backup Jobs I needed, and a few to dynamically change the settings of the backup job for specific virtual machines. Here’s how they’re laid out:

  1. Create a new category for your backup tags called Backup. For this category, you should set Cardinality to Many tags per object, and you

Read More

VMware vSphere 6.5 Upgrade eBook

Scott Forehand

Emad Younis is a Staff Technical Marketing Architect working in the Cloud Platform Business Unit, part of the R&D organization at VMware. His current focuses are the vCenter Server Appliance, vCenter Server Migrations, and VMware Cloud on AWS. He’s written tons of blogs, whitepapers and eBooks for VMware, including the eBook that this blog is about. For those of us who are migrating from older vSphere versions (like 5.5,  which is end of support in September) to vSphere 6.5, this eBook is a must have resource.

This free eBook was written to help guide VMware customers through every phase of the vSphere 6.5 upgrade process. It’s broken down into three phases:

Phase 1: Pre-upgrade – The work that you need to do before starting an upgrade.
Phase 2: Upgrade – Outlining the steps of the upgrade process and execution.
Phase 3: Post-Upgrade – Validating with business owners that everything went according to plan.

Each phase outlines minute details things that you should consider during the upgrade process, and also links to resources that will help make your upgrade a successful one. Included in the eBook are two common upgrade scenarios to help guide you through the upgrade process from …

Read More

VMware Certification and You

Scott Forehand

VMware certification is a great way to boost your worth in the market. In addition to the employer recognition and compensation benefits you’ll get, VMware certifications come with a pretty big list of perks. You’ll get professional recognition of your technical knowledge and skills, greater opportunities for career advancement, official transcripts from VMware that you can link, VMware Digital Badges for your earned certifications, you’ll be granted use of the logos that come with your certification, you’ll get access to the exclusive VMware certification portal & logo merchandise store. If that wasn’t enough, you also get discounts from VMware Press (you can use this to purchase materials for higher certifications, or just books to keep you at the bleeding edge of VMware technologies and best practices), discounted admission to VMware events like VMworld, and invitation to beta exams and classes to help you stay current and certify at a discounted rate.

Getting started on a VMware certification track is easier than you might think. They’ve even provided this handy roadmap for each of the tracks offered. As of this writing, there are four certification tracks to choose from:

  1. Data Center Virtualization (DCV) – This is by far the most popular

Read More

VMware Tagging and Why You Should Care

Scott Forehand

VMware Tags were introduced with vSphere 5.1, and replace the legacy Custom Attributes feature from earlier versions. Tags allow you to add valuable metadata to every object in your inventory, which makes them searchable and sortable by those tags. How can this be used, you ask? Well I’ll tell you how I use tags.

I use tags to control which backup a virtual machine is a part of, to control the settings that should be applied during the backup, to identify the priority of virtual machines for business continuity and disaster recovery purposes, to define the patch group the virtual machine is in, to identify server roles and installed applications, to create dynamic groups of machines in Turbonomic Operations Manager. One of the guys on my team even built a dynamic list of servers on our SharePoint site that allows us to see at a glance every server in our environment and filter it to find the information we need quickly.

What is a Category?
Categories allow you to group related tags together. When you define a category, you can also specify which object types its tags can be applied to and whether more than one tag in the category …

Read More

The Gamification of IT Learning

Scott Forehand

It has been around for a while now  but I’d like to introduce you to CloudCred, by VMware. With CloudCred, you can earn rewards for the things that you know about the cloud, virtualization technologies, slick vendor technologies and more, and learn the things that you don’t.

With CloudCred, you earn points by doing tasks. Those points increase your status on a leaderboard of members and, if you earn enough points, enter you in a monthly grand prize drawing for some pretty cool loot.

CloudCred is more than a just fun way to flex your cloud knowledge and earn bragging rights for yourself and your team. It’s also a way to rack up on rewards and get certifications that can help you grow professionally. Stolen from the CloudCred website, here are some of the reasons to sign up:

Challenge yourself
Go beyond the type of tasks you’re used to completing on a daily basis. You could learn something.

Get recognized
Raise your CloudCred score to climb the leaderboard and get noticed by other industry professionals.

Expand your influence
Grow your sphere of influence through tasks that help you build and share your perspectives with peers.

Get rewards

Read More

Azure Strategy and Implementation Guide eBook

Scott Forehand

For those of us who are new to Microsoft Azure or in the beginning stages of planning a cloud migration, Microsoft is now giving away the Azure Strategy and Implementation Guide for IT Organizations eBook for free! Cloud architects often hear the same questions from different customers who are starting to plan out their cloud implementation process. That’s what motivated at the good people at Microsoft to write the Azure Strategy and Implementation Guide eBook, and provide their guidance in the form of a blueprint that customers like us can follow to help form our cloud strategy.

Whether you are starting with Azure or doing more general research regarding how IT teams navigate cloud implementation, this guide offers a balance of broadly applicable advice and Azure specifics for you to consider. Here is an overview of what is covered:

Chapter 1: Governance – This chapter covers the starting points, from the aspirational “digital transformation” to the important tactical steps of administration and resource naming conventions. Get an overview of topics such as envisioning, to cloud readiness, administration, and security standards and policy.
Chapter 2: Architecture – This section takes a longer look at security, touches on cloud design patterns, and

Read More

Configuration Resources for Windows Server 2016

Scott Forehand

For the most part, I run a Windows shop. Digging around for some information on the latest Windows Server operating system, Windows Server 2016, I’ve come across some useful information that I thing every administrator/engineer should know. I used all of this information to build my Windows Server 2016 VMware Templates.

Resource 1: What’s New in Windows Server 2016 Link
Windows Server 2016 has been out for a while now, but it’s always good to start with learning about what the development team focused on improving with each new release of Windows Server. This guide outlines the changes made to compute, identity and access, administration, networking, security and assurance, storage, failover clustering and more.

Resource 2: Performance Tuning Guidelines for Windows Server 2016 Link
The guide linked above focuses on performance and tuning for server hardware, server roles, and server subsystems. It dives deep into every setting, and the potential effect that setting has. That deep dive will enable you to make more informed decisions about each settings relevance to your system, workload, performance, and energy usage goals which will help you build an optimized platform for your environment.

Note: Download a PDF of the guide by following the Download

Read More

Veeam Backup & Replication Best Practices eBook

Scott Forehand

I wanted to share a free resource that has really helped me wrap my head around Veeam Backup & Replication. This eBook, written and maintained by a group of Veeam architects, is easily understandable no matter your level of expertise with Veeam and serves as a great resource outlining how to configure Veeam using best practices in your Veeam backup environment.

The eBook was released in conjunction with Veeam Backup & Replication 9.0 Update 2. It’s been updated and maintained and as of this writing, contains the best practices for Veeam Backup & Replication 9.5 Update 1.

Read the book online, or download it in PDF, ePub or Mobi format by following this link.

If you feel like showing the authors love, or just following them on social media, here they are:

Preben Berg (@poulpreben)
Andreas Neufert (@AndyandtheVMs)
Tom Sightler
Pascal di Marco
Stanislav Simakov (@ssimakov)
Paul Szelesi (@PSzelesi)
Luca Dell’Oca (@dellock6)
Edwin Weijdema (@viperian)…

Read More